Isn't DNS-01 challenge what the option above does?
Yep, it does.
Then (part of) my problem is not about options to run it anytime, as suggested by @jvanasco. My maintenance window is not for renewing the certificate, but for getting the renewed certificates into other systems. Some of those systems are dumb enough to require restarts of the entire OS and eat 10+ minutes to get back up, while others refresh their services and are back in a matter of seconds. Hence the somewhat tighter control requirement over when this happens, instead of just letting the certbot client do its thing as it does for a simple, single web server.
Ah, sorry, I forgot about that by the time I read the comment I replied to.
It sounds like you designed a lot of this around Certbot, instead of using Certbot (or any other ACME client) as a part of your solution.
Given what you shared about those secondary systems, I would probably run Certbot automatically on the "deployment manager" machine to ensure you always have usable certificates; then I'd have a second process alert me when it detects new certificates and either deploy them on the next available window, or instruct me to do that manually. The "monitor" process might just inspect the directory, or have the new certificates registered via a --deploy-hook.
I like using https://fabfile.org (a Python library) to write scripts that do that sort of deployment automation.
I would be lying if I said my script isn't written around certbot. I had a working mechanism to update my DNS servers up and running a few weeks after DNS-01 challenges were made available by LE in 2016 (thanks to all the hints provided by dehydrated). I had hooks to my supporting tools working even before that - this was the trigger: Tutorial: Get Let's Encrypt on Cisco routers/switches (with hints on some of the stupid systems I claimed aren't ACME compatible). I still have logs from when we would run the 'letsencrypt-auto' command. And all was working, in the right or wrong way, until today, when the whole discussion turned into a great opportunity for improvement.
In a sense, when the desire for 45-day certificates was announced (Thanks Tim Apple!), that did not bother me. At all. I feel I'm way ahead of the curve - of course, assuming I can get a certificate.
Most of what my in-house solution does has, over time, been incorporated into certbot. I agree your recommendation of the deployment and distribution managers makes a ton of sense, using certbot as a central part of the solution, now that it seems to be capable of doing most, if not all, of what I have developed. Still need to play a lot in the staging environment.
Lastly, thanks for the fabfile hint. I rely a lot on paramiko, but again, I'm old school, I tend to reinvent the wheel more often than I should.
Oh wow, if you're good with Paramiko... Fabric is pretty much writing pseudocode around that.
I have at least 8 active projects that use Fabric to manipulate and deploy Certbot-procured assets as needed. I run my own client for a specific work project, but it's overkill for everything else. I originally leveraged Certbot for everything and used the --deploy-hook, but that started to become difficult to manage. For simple things I still use the deploy hook, but for more complex things I just have a Fabric script on cron to analyze the certbot directory for new data (and I store everything in sqlite3 so it's easy to recall and do metrics against), and then I can take appropriate actions. This gives me a bit of reassurance, because my procurement failures are isolated from my deployment failures -- so I can more easily recover from the rare occasional issue.